9.Ch_13_Digital Signature and Authentication Protocols

Information Security Notes

  • Digital Signature and Authentication Protocols

    Asst. Prof. Shreyas Patel

  • Introduction

    A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting that hash with the creator's private key. The signature guarantees the source and integrity of the message.

    Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.

    In one-way authentication, the recipient wants some assurance that the message is from the alleged sender.

    4/9/2014

  • Digital Signature

    Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. Several forms of dispute between the two are possible.

    For example, suppose that John sends an authenticated message to Mary, using one of the schemes of Fig. 11.4. Consider the following disputes that could arise:

    1. Mary may create a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share.


  • Digital Signature (Contd.)

    2. John can deny sending the message. Because it is possible for Mary to create a message, there is no way to prove that John did in fact send the message.

    An example of the first scenario: an electronic funds transfer takes place, and the receiver increases the amount of funds transferred and claims that the larger amount had arrived from the sender.

    An example of the second scenario: an electronic mail message contains instructions to a stockbroker for a transaction that subsequently turns out badly. The sender pretends that the message was never sent.


  • Digital Signature (Contd.)

    In situations where there is not complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature. It must have the following properties:

    It must verify the author and the date and time of the signature.

    It must authenticate the contents at the time of the signature.

    It must be verifiable by third parties, to resolve disputes.


  • Generic Model of Digital Signature Process (figure)

  • Simplified Depiction of Essential Elements of Digital Signature Process (figure)

  • Direct Digital Signature

    The direct digital signature involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.

    A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key.

    All direct schemes described so far share a common weakness: the validity of the scheme depends on the security of the sender's private key. If the sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else created his or her signature.


  • Arbitrated Digital Signature

    The problems associated with direct digital signatures can be addressed by using an arbiter.

    In an arbitrated signature scheme, every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.

    The presence of A solves the problem faced by direct signature schemes: that X might disown the message.

    The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have a great deal of trust that the arbitration mechanism is working properly.


  • Arbitrated Digital Signature (Contd.) (figure)

  • Arbitrated Digital Signature (Contd.)

    It is assumed that the sender X and the arbiter A share a secret key Kxa and that A and Y share a secret key Kay.

    X constructs a message M and computes its hash value H(M). Then X transmits the message plus a signature to A. The signature consists of an identifier IDx of X plus the hash value, all encrypted using Kxa.

    A decrypts the signature and checks the hash value to validate the message. Then A transmits a message to Y, encrypted with Kay. The message includes IDx, the original message from X, the signature, and a timestamp.

    Y can decrypt this to recover the message and the signature.


  • Arbitrated Digital Signature (Contd.)

    The timestamp informs Y that this message is timely and not a replay. Y can store M and the signature.
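    The X to A to Y exchange just described, played out in code as an added example (it is not part of these slides). The keys Kxa and Kay, the identifiers, the 60-second freshness window and the message texts are all constructed for the demo, and E(K, [fields]) is modelled as a keyed MAC (HMAC-SHA256) carried beside the fields, which reproduces the origin and content checks the slides describe but not confidentiality. It also shows the part the slides leave implicit: what Y does with the stored message and signature when a dispute arises, since Y cannot check X's signature itself.

```python
import hashlib
import hmac
import json

# Constructed long-term keys: Kxa is shared by X and the arbiter A, Kay by A and Y.
K_XA = b"constructed-key-shared-by-X-and-A"
K_AY = b"constructed-key-shared-by-A-and-Y"
SKEW = 60  # seconds: how old A's timestamp may be before Y treats the message as a replay

def H(m):
    return hashlib.sha256(m).hexdigest()

def tag(key, fields):
    """Keyed MAC over a canonical encoding; stands in for E(K, [fields]) on the slides."""
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def x_send(m):
    """X -> A: M || E(Kxa, [IDx || H(M)])"""
    sig = {"idx": "X", "h": H(m)}
    return {"m": m.decode(), "sig": sig, "sig_tag": tag(K_XA, sig)}

def arbiter(pkt, now):
    """A checks origin (only X and A hold Kxa) and content (the hash), then forwards to Y
    under Kay with a timestamp: E(Kay, [IDx || M || E(Kxa, [IDx || H(M)]) || T])."""
    sig = pkt["sig"]
    if not hmac.compare_digest(pkt["sig_tag"], tag(K_XA, sig)):
        raise ValueError("signature was not produced under Kxa: not from X")
    if sig["h"] != H(pkt["m"].encode()):
        raise ValueError("hash does not match the message")
    body = {"idx": sig["idx"], "m": pkt["m"], "sig": sig, "sig_tag": pkt["sig_tag"], "t": now}
    return {"body": body, "body_tag": tag(K_AY, body)}

class Receiver:
    """Y: cannot check X's signature itself (it lacks Kxa), so it trusts A's verdict,
    checks the timestamp, and keeps M plus the signature for any later dispute."""
    def __init__(self):
        self.seen = set()
        self.stored = []

    def receive(self, pkt, now):
        body = pkt["body"]
        if not hmac.compare_digest(pkt["body_tag"], tag(K_AY, body)):
            raise ValueError("not from the arbiter")
        if not 0 <= now - body["t"] <= SKEW:
            raise ValueError("timestamp outside the freshness window")
        if body["sig_tag"] in self.seen:
            raise ValueError("replay of an already accepted message")
        self.seen.add(body["sig_tag"])
        self.stored.append((body["m"], body["sig"], body["sig_tag"]))
        return body["m"]

def settle_dispute(m, sig, sig_tag):
    """Later, Y shows A the stored message and signature; A re-checks them under Kxa."""
    return hmac.compare_digest(sig_tag, tag(K_XA, sig)) and sig["h"] == H(m.encode())

def demo(now=1_700_000_000):
    y = Receiver()
    forwarded = arbiter(x_send(b"pay Y 100"), now)
    accepted = y.receive(forwarded, now)                        # normal path
    try:                                                        # Y tries to forge a message "from X"
        fake = {"idx": "X", "h": H(b"pay Y 1000")}
        arbiter({"m": "pay Y 1000", "sig": fake, "sig_tag": tag(K_AY, fake)}, now)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    try:                                                        # the same packet delivered twice
        y.receive(forwarded, now + 1)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    dispute_upheld = settle_dispute(*y.stored[0])               # X cannot disown the message
    return accepted, forgery_rejected, replay_rejected, dispute_upheld
```

    Y's forgery fails at A because Y never holds Kxa, and the second delivery fails at Y because the signature tag is already in Y's seen set; a replay older than SKEW would already fail the timestamp check. Note that Y's stored evidence is only as good as A's honesty, which is the trust the slides call "sensitive and crucial".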


  • Digital Signature Standard

    The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA).

    The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme.


  • Digital Signature Standard (Contd.)

    The DSS Approach:

    The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.

    Figure 13.1 contrasts the DSS approach for generating signatures with that of RSA.


  • Digital Signature Standard (Contd.) (figure)

  • Digital Signature Standard (Contd.)

    In the RSA-based approach, only the sender knows the private key, so only the sender could have produced a valid signature.

    The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a global public key (PUg). The result is a signature consisting of two components, labeled s and r.


  • Digital Signature Standard (Contd.)

    At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The output of the verification function is a value that is equal to the signature component r if the signature is valid.

    The signature function is such that only the sender with knowledge of the private key could have produced the valid signature.
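    The DSS signing and verification functions just described, as an added example that is not part of the original slides. The global parameters PUg = (p, q, g) are generated at toy size (a 40-bit q) so the numbers stay readable, SHA-256 stands in for the SHA of the standard, and the message texts and the reused k value are constructed. The last function shows the practical caveat behind "a random number k generated for this particular signature": if the same k is used for two messages, anyone holding both signatures recovers the private key.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin: these bases are exact for every n below 3.3e24."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def domain_params(qbits=40):
    """Toy global public key PUg = (p, q, g): q prime, p = k*q + 1 prime, g of order q mod p.
    Real DSS sizes are (L, N) = (2048, 256); a 40-bit q only keeps the numbers readable."""
    q = 1 << qbits
    while not is_prime(q):
        q += 1
    k, p = 2, 2 * q + 1
    while not is_prime(p):
        k, p = k + 2, (k + 2) * q + 1
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1   # g^q = h^(p-1) = 1, so g has order q once g != 1
    return p, q, g

P, Q, G = domain_params()

def H(msg):
    # DSS uses the leftmost min(N, outlen) bits of the hash; here SHA-256 is reduced mod q.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1        # private key PRa
    return x, pow(G, x, P)                  # (PRa, PUa = g^x mod p)

def sign(msg, x, k=None):
    """Produces (r, s). k is the per-signature random number from the slide: it must be fresh
    and secret every time, because a reused k gives away x (see recover_private_key)."""
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(msg) + x * r) % Q
    if r == 0 or s == 0:                    # FIPS 186: discard and choose a new k
        raise ValueError("degenerate signature, choose another k")
    return r, s

def verify(msg, sig, y):
    """Recomputes v from H(msg), the signature and PUa; the signature is valid iff v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = H(msg) * w % Q, r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r

def recover_private_key(m1, sig1, m2, sig2):
    """Two signatures sharing r (so sharing k) leak x:
    s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2)/(s1 - s2),  x = (s1*k - h1)/r   (all mod q)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    k = (H(m1) - H(m2)) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - H(m1)) * pow(r1, -1, Q) % Q

def demo():
    x, y = keygen()
    m1, m2 = b"sell 100 shares of ACME", b"buy 500 shares of ACME"
    sig1 = sign(m1, x)
    results = {"valid": verify(m1, sig1, y), "altered_message_accepted": verify(m2, sig1, y)}
    reused = 123456789                      # the mistake: the same k for two different messages
    results["key_recovered"] = recover_private_key(m1, sign(m1, x, reused), m2, sign(m2, x, reused)) == x
    return results
```

    The verification never needs the private key or k, which is why third parties can settle disputes. The recovery function is the reason deployed implementations draw k from a cryptographic RNG or derive it deterministically from the key and message (RFC 6979); a biased or repeated k is the classic DSA/ECDSA failure.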


  • Kerberos

    Kerberos is an authentication service developed as part of Project Athena at MIT.

    Rather than building an elaborate authentication protocol into each server, Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.

    Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption.

    Two versions of Kerberos are in common use: v4 and v5.


  • Kerberos

    Kerberos supports the following approach to security: it requires the user to prove his or her identity for each service invoked, and it also requires that servers prove their identity to clients.

    Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.

    The requirements identified for Kerberos are:

    secure

    reliable

    transparent

    scalable


  • Kerberos v4 Overview

    The core of Kerberos is the Authentication Server and the Ticket-Granting Server; these are trusted by all users and servers and must be securely administered.

    The protocol includes a sequence of interactions between the client, the AS, the TGS and the desired server:

    a basic third-party authentication scheme

    has an Authentication Server (AS)

    users initially negotiate with the AS to identify themselves

    the AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)

    has a Ticket-Granting Server (TGS)

    users subsequently request access to other services from the TGS on the basis of the user's TGT


  • Kerberos v4 Dialogue

    1. obtain a ticket-granting ticket from the AS: once per session

    2. obtain a service-granting ticket from the TGS: for each distinct service required

    3. client/server exchange to obtain service: on every service request
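    The three exchanges above, played out in code as an added example (not from the slides and not from any Kerberos implementation). The principal names, the client address ADc, the lifetimes, the password and the clock values are constructed, and E(K, [...]) is a toy encrypt-then-MAC built from HMAC-SHA256 in place of the DES that v4 really uses. What the dialogue summary leaves implicit, and what this shows, are the checks a server performs on every ticket and authenticator it receives: addressee, expiry, identity match with the ticket, clock skew, and replay.

```python
import hashlib
import hmac
import json
import os

SKEW, LIFETIME = 300, 8 * 3600    # seconds: clock skew allowed on authenticators, ticket lifetime
CLIENT_ADDR = "10.0.0.5"          # ADc, the client's network address (constructed value)

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, standing in for the DES that Kerberos v4 actually uses."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """E(K, [fields]): encrypt-then-MAC over a JSON encoding. Toy construction, not for production."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket/authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket(server_key, ticket, authenticator, my_id, now, replay_cache):
    """Used by the TGS (step 2) and by the application server (step 3): open the ticket with the
    server's own key, open the authenticator with the session key found inside, and reject tickets
    for another server, expired tickets, mismatched or stale authenticators, and replays."""
    t = unseal(server_key, ticket)
    if t["ids"] != my_id or now > t["ts"] + t["life"]:
        raise ValueError("ticket is for another server or has expired")
    k_session = bytes.fromhex(t["key"])
    a = unseal(k_session, authenticator)      # only a holder of the session key could build this
    if (a["idc"], a["adc"]) != (t["idc"], t["adc"]) or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator does not match the ticket or is outside the skew window")
    if (a["idc"], a["ts"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["idc"], a["ts"]))
    return t, a, k_session

class KDC:
    """AS and TGS roles; holds every principal's long-term key (the Kerberos database)."""
    def __init__(self, keys):
        self.keys, self.cache = keys, set()

    def as_exchange(self, idc, idtgs, now):
        """(1) IDc || IDtgs || TS1  ->  (2) E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs])"""
        k = os.urandom(16).hex()
        tgt = seal(self.keys[idtgs], {"key": k, "idc": idc, "adc": CLIENT_ADDR,
                                      "ids": idtgs, "ts": now, "life": LIFETIME})
        return seal(self.keys[idc], {"key": k, "ids": idtgs, "ts": now, "life": LIFETIME,
                                     "ticket": tgt.hex()})

    def tgs_exchange(self, idv, tgt, auth, now):
        """(3) IDv || Ticket_tgs || Authenticator_c  ->  (4) E(Kc,tgs, [Kc,v || IDv || TS4 || Ticket_v])"""
        t, _, k_c_tgs = check_ticket(self.keys["tgs"], tgt, auth, "tgs", now, self.cache)
        k = os.urandom(16).hex()
        ticket_v = seal(self.keys[idv], {"key": k, "idc": t["idc"], "adc": t["adc"],
                                         "ids": idv, "ts": now, "life": LIFETIME})
        return seal(k_c_tgs, {"key": k, "ids": idv, "ts": now, "ticket": ticket_v.hex()})

class AppServer:
    def __init__(self, idv, key):
        self.idv, self.key, self.cache = idv, key, set()

    def serve(self, ticket, auth, now):
        """(5) Ticket_v || Authenticator_c  ->  (6) E(Kc,v, [TS5 + 1]); step (6) is what makes it mutual."""
        _, a, k_c_v = check_ticket(self.key, ticket, auth, self.idv, now, self.cache)
        return seal(k_c_v, {"ts": a["ts"] + 1})

def client_session(kdc, server, idc, kc, now):
    """The client's half of all three exchanges. Returns (server proved its identity?, Ticket_v, Authenticator_c)."""
    creds = unseal(kc, kdc.as_exchange(idc, "tgs", now))
    k_c_tgs, tgt = bytes.fromhex(creds["key"]), bytes.fromhex(creds["ticket"])
    auth_tgs = seal(k_c_tgs, {"idc": idc, "adc": CLIENT_ADDR, "ts": now})
    grant = unseal(k_c_tgs, kdc.tgs_exchange(server.idv, tgt, auth_tgs, now))
    k_c_v, ticket_v = bytes.fromhex(grant["key"]), bytes.fromhex(grant["ticket"])
    auth_v = seal(k_c_v, {"idc": idc, "adc": CLIENT_ADDR, "ts": now})
    reply = unseal(k_c_v, server.serve(ticket_v, auth_v, now))
    return reply["ts"] == now + 1, ticket_v, auth_v

def make_realm():
    """Constructed realm: Kc is derived from the user's password; Ktgs and Kv are random long-term keys."""
    kc = hashlib.sha256(b"alice-password").digest()[:16]
    keys = {"alice": kc, "tgs": os.urandom(16), "printer": os.urandom(16)}
    return KDC(keys), AppServer("printer", keys["printer"]), "alice", kc

def demo(now=1_700_000_000):
    kdc, server, idc, kc = make_realm()
    ok, ticket_v, auth_v = client_session(kdc, server, idc, kc, now)
    damaged = ticket_v[:20] + bytes([ticket_v[20] ^ 1]) + ticket_v[21:]   # one ciphertext byte flipped
    outcomes = {"mutual_auth": ok}
    for name, args in {"replay": (ticket_v, auth_v, now + 5),
                       "expired": (ticket_v, auth_v, now + LIFETIME + 1),
                       "tampered": (damaged, auth_v, now)}.items():
        try:
            server.serve(*args)
            outcomes[name + "_rejected"] = False
        except ValueError:
            outcomes[name + "_rejected"] = True
    return outcomes
```

    The client never sees inside a ticket (it is sealed under the server's key), and the server never sees the user's Kc; the session key that both learn is what binds ticket and authenticator together. The replay cache keyed on (IDc, timestamp) is only sound because the skew window bounds how long entries must be kept, which is why Kerberos depends on loosely synchronised clocks.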

  • Kerberos v4 Overview (figure)

  • Kerberos v4 Realms

    A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers is referred to as a Kerberos realm.

    A Kerberos realm is a set of managed nodes that share the same Kerberos database and are part of the same administrative domain.

    If there are multiple realms, their Kerberos servers must share keys and trust each other.

  • Kerberos v4 Realms (figure)

  • Kerberos v4 Realms

    The figure shows the authentication messages where service is being requested from another realm. The ticket presented to the remote server indicates the realm in which the user was originally authenticated. The server chooses whether to honor the remote request.

    One problem presented by the foregoing approach is that it does not scale well to many realms, as each pair of realms needs to share a key (N realms require N(N-1)/2 pairwise keys).

  • X.509 CERTIFICATES

    X.509 is part of the X.500 series of recommendations that define a directory service. The directory is, in effect, a server or distributed set of servers that maintains a database of information about users. The information includes a mapping from user name to network address, as well as other attributes and information about the users.

    X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.

  • X.509 CERTIFICATES

    X.509 is based on the use of public-key cryptography and digital signatures. The heart of the X.509 scheme is the public-key certificate associated with each user.

    These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates.

  • Generation of Public-Key Certificates (figure)

  • X.509 Certificates (figure)

  • X.509 CERTIFICATES

    Version: Differentiates among successive versions of the certificate format; the default is version 1. Versions 2 and 3 are also possible.

    Serial number: An integer value, unique within the issuing CA, that is unambiguously associated with this certificate.

    Signature algorithm identifier: The algorithm used to sign the certificate, together with any associated parameters. This information is repeated in the signature field at the end of the certificate.

    Issuer name: The X.500 name of the CA that created and signed this certificate.

  • X.509 CERTIFICATES

    Period of validity: Consists of two dates: the first and last on which the certificate is valid.

    Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.

    Subject's public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.

    Issuer unique identifier: An optional bit-string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.

  • X.509 CERTIFICATES

    Subject unique identifier: An optional bit-string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.

    Extensions: A set of one or more extension fields. Extensions were added in version 3.

    Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields encrypted with the CA's private key. This field includes the signature algorithm identifier.

  • X.509 CERTIFICATES (figure)

  • X.509 CERTIFICATES

    Because certificates are unforgeable (any user can check the CA's signature on them), they can be placed in a directory without the need for the directory to make special efforts to protect them. All user certificates can be placed in the directory for access by all users. In addition, a user can transmit his or her certificate directly to other users.

    In either case, once B is in possession of A's certificate, B has confidence that messages it encrypts with A's public key will be secure from eavesdropping and that messages signed with A's private key are unforgeable.
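    An added example, not from the slides, that covers two earlier points with one toy RSA key. First, the John/Mary disputes from the direct-signature discussion: a shared-key MAC lets the receiver forge and the sender deny, while a hash-then-sign signature allows neither. Second, the certificate fields listed above: a dict stands in for DER, the CA signs every field except the signature, and B checks issuer, period of validity and signature before trusting the key inside, so an edited copy from an untrusted directory is rejected. The key is built from published Mersenne primes and uses textbook RSA without padding, so it is for illustration only; the names, serial numbers, dates, the shared MAC key and A's public key are all constructed.

```python
import hashlib
import hmac
import json

# Toy textbook RSA for the CA (and for John in the dispute example). The primes are published
# Mersenne primes, so this key has no secrecy; real deployments use random primes and a padded
# scheme such as RSA-PSS from a vetted library. Hash-then-sign is exactly the slides' construction.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent: the signer's secret

def h_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv_d, n=N):
    """'Encrypt' the hash of the message with the private key."""
    return pow(h_int(data), priv_d, n)

def verify(data, sig, pub_e, pub_n):
    """Anyone holding the public key can check the signature: no secret needed."""
    return pow(sig, pub_e, pub_n) == h_int(data)

# --- The two disputes between John and Mary: shared-key MAC versus signature ---------------
K_SHARED = b"constructed key that john and mary share"

def dispute_outcomes():
    original, forged = b"transfer 100 to mary", b"transfer 1000 to mary"
    # Scenario 1 with a MAC: Mary holds the key, so her tag on the forged text is indistinguishable
    # from one John would have produced; a third party cannot tell who made it.
    mary_tag = hmac.new(K_SHARED, forged, hashlib.sha256).digest()
    mac_forgery_passes = hmac.compare_digest(mary_tag, hmac.new(K_SHARED, forged, hashlib.sha256).digest())
    # Scenario 1 with a signature: Mary lacks D, and John's signature does not fit the altered text.
    john_sig = sign(original, D)
    sig_forgery_passes = verify(forged, john_sig, E, N)
    # Scenario 2: John cannot deny sending, because a third party verifies with (E, N) alone.
    third_party_confirms = verify(original, john_sig, E, N)
    return mac_forgery_passes, sig_forgery_passes, third_party_confirms

# --- Minimal X.509-style certificate carrying the fields listed above (a dict stands in for DER) --
A_PUB = (65537, ((1 << 1279) - 1) * ((1 << 2203) - 1))   # A's public key; its private half is unused here

def tbs_bytes(cert):
    """Canonical encoding of every field except the signature: the bytes the CA actually signs."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue(ca_name, ca_priv, serial, subject, subject_pub, not_before, not_after, is_ca=False):
    cert = {"version": 3, "serial": serial, "sig_alg": "sha256-with-toy-rsa", "issuer": ca_name,
            "validity": [not_before, not_after], "subject": subject,
            "spki": {"alg": "toy-rsa", "e": subject_pub[0], "n": subject_pub[1]},
            "extensions": {"basicConstraints": "CA:TRUE" if is_ca else "CA:FALSE"}}
    cert["signature"] = {"alg": cert["sig_alg"], "value": sign(tbs_bytes(cert), ca_priv)}
    return cert

def verify_cert(cert, ca_cert, now):
    """What B does with A's certificate before trusting the public key inside it."""
    if cert["issuer"] != ca_cert["subject"] or ca_cert["extensions"]["basicConstraints"] != "CA:TRUE":
        return False, "issuer does not match a CA certificate"
    not_before, not_after = cert["validity"]
    if not not_before <= now <= not_after:
        return False, "outside the period of validity"
    spki = ca_cert["spki"]
    if not verify(tbs_bytes(cert), cert["signature"]["value"], spki["e"], spki["n"]):
        return False, "signature does not verify under the CA's public key"
    return True, "ok"

def certificate_outcomes(now=1_700_000_000):
    root = issue("Example CA", D, 1, "Example CA", (E, N), now - 10, now + 10**8, is_ca=True)
    a_cert = issue("Example CA", D, 42, "A", A_PUB, now - 10, now + 10**6)
    genuine = verify_cert(a_cert, root, now)[0]
    # An untrusted directory (or an attacker) cannot edit a field: the signature covers all of them.
    tampered = verify_cert(dict(a_cert, subject="Mallory"), root, now)[0]
    expired = verify_cert(a_cert, root, now + 10**7)[0]
    return genuine, tampered, expired
```

    The root certificate is self-signed, so its trust has to come from B already holding it (the CA's public key is the one thing the directory cannot supply on its own). Everything else B relies on, including the binding of the name "A" to A_PUB, is checked against that one key and the validity dates carried in the certificate.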
